Skip to content

Commit eb7fd30

Browse files
Merge pull request #8022 from github/oscerd-GHSA-xq69-5h5v-x9x4
2 parents 34ab448 + b7a97bf commit eb7fd30

1 file changed

Lines changed: 117 additions & 1 deletion

File tree

advisories/unreviewed/2026/06/GHSA-xq69-5h5v-x9x4/GHSA-xq69-5h5v-x9x4.json

Lines changed: 117 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,19 +6,135 @@
66
"aliases": [
77
"CVE-2026-41731"
88
],
9+
"summary": "In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization",
910
"details": "JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "org.springframework.kafka:spring-kafka"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.0.6"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 4.0.5"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Maven",
43+
"name": "org.springframework.kafka:spring-kafka"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "3.3.16"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 3.3.15"
60+
}
61+
},
62+
{
63+
"package": {
64+
"ecosystem": "Maven",
65+
"name": "org.springframework.kafka:spring-kafka"
66+
},
67+
"ranges": [
68+
{
69+
"type": "ECOSYSTEM",
70+
"events": [
71+
{
72+
"introduced": "0"
73+
},
74+
{
75+
"fixed": "3.2.14"
76+
}
77+
]
78+
}
79+
],
80+
"database_specific": {
81+
"last_known_affected_version_range": "<= 3.2.13"
82+
}
83+
},
84+
{
85+
"package": {
86+
"ecosystem": "Maven",
87+
"name": "org.springframework.kafka:spring-kafka"
88+
},
89+
"ranges": [
90+
{
91+
"type": "ECOSYSTEM",
92+
"events": [
93+
{
94+
"introduced": "0"
95+
},
96+
{
97+
"fixed": "2.9.14"
98+
}
99+
]
100+
}
101+
],
102+
"database_specific": {
103+
"last_known_affected_version_range": "<= 2.9.13"
104+
}
105+
},
106+
{
107+
"package": {
108+
"ecosystem": "Maven",
109+
"name": "org.springframework.kafka:spring-kafka"
110+
},
111+
"ranges": [
112+
{
113+
"type": "ECOSYSTEM",
114+
"events": [
115+
{
116+
"introduced": "0"
117+
},
118+
{
119+
"fixed": "2.8.12"
120+
}
121+
]
122+
}
123+
],
124+
"database_specific": {
125+
"last_known_affected_version_range": "<= 2.8.11"
126+
}
127+
}
128+
],
17129
"references": [
18130
{
19131
"type": "ADVISORY",
20132
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41731"
21133
},
134+
{
135+
"type": "PACKAGE",
136+
"url": "https://github.com/spring-projects/spring-kafka"
137+
},
22138
{
23139
"type": "WEB",
24140
"url": "https://spring.io/security/cve-2026-41731"

0 commit comments

Comments
 (0)